Attack Vectors – Pt. 3 (Layers)

May 14, 2016

c1ph0r

The way I like to look at security is by imagining how a castle is protected. Castle security operates on multiple layers. However cliché this analogy may be, it is pretty effective. From the moat to the innermost towers, the kings and queens of old never trusted just one line of defense.

I know there are a lot of avenues to consider in regards to information security, but practice makes perfect. I know certain protocols are challenging especially when you have to trade convenience for security, but the more you do it, the easier it gets.

The largest and most involved phase of a breach is the reconnaissance phase. The attackers gather anything that can be used to help the operation in later phases. This week we will be continuing our look at common attack vectors and ways we can protect ourselves from some of those reconnaissance methods:

Dumpster Diving

Attackers will often go through the garbage of a potential target. Private investigators are also known to use this trick and if you think about what gets casually thrown away by most of us you can see why. So much information can be learned about a target from their trash. The obvious confidential information contained in bills and medical statements, but also personal notes, passwords, calendars, receipts, etc.

To defend against this invest in a decent crosscut shredder if you’re in a home or small office setting. If you’re in a bigger commercial or enterprise setting, in addition to a high end shredder you should consider a contract with a document destruction service. Even the smallest detail could be used to leverage access.

Shoulder Surfing

Shoulder surfing is the art of gathering information by looking over someones shoulder as they use a computer, ATM/POS, telephone, cell phone, combination locks and while writing/filling out forms. This is especially effective in crowded situations, but even a lone target could be surveilled by a determined and well equipped attacker with binoculars and/or hidden cameras. There are even techniques for using thermal imaging cameras (which they make for your smart phone) to deduce a pin/code/password by the heat signatures left by your fingertips:

Always be aware of your surroundings and protect all keypads you operate with your non-dominant hand. If you’re worried about a thermal analysis, you can always briefly cover all the keys with your hand before walking away. As far as protecting your computer or laptop screen, there a various types of privacy shields available that obscure what can be seen if not viewed from the right angle.

Whois

Try your own (or a random) website and see what kind of information is freely and publicly available. If you try some of the bigger sites you’ll notice that many use a proxy for their registration. A proxy registers for you and the only information that can be found belongs to them and reveals nothing about you or your organization. I recommend you do the same to protect any and all information that could be used in another attack vector such as social engineering.

Also be cognizant of the Wayback Machine over at the Internet Archive. Anything you put on your website may be archived forever. Even if you change things, old versions of your site could still be accessed and often are by attackers.

Jobs/Forums

Another common area used to gather information are job sites and forums. Many companies will within a job listing completely describe their server environment, applications, firewall/security appliances, sometimes even version information and third-party vendors. All of this information is extremely valuable when planning an operation.

Also, if you post on sites such as Spiceworks, TechNet, and Experts Exchange be aware that if you reveal too much about your systems or company this can be a gold mine for bad guys. Be sure to never use a user name tied to other known accounts or that give you away. Also be extremely careful when posting logs. If you’re not sure if what you’re posting is sensitive, please consult your IT administrator. Better safe than sorry.

Social Networking

I know this is old, but it’s still valid to this day:

If you have any specific questions or ideas for future posts, please send your ideas to opensourcesec@protonmail.comThanks for reading. Stay safe.